Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 4, 2021, 1:54 p.m.	Sept. 4, 2021, 1:58 p.m.

Size	669.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`34d8bda29d961c5757f3a8a0ef971205`
SHA256	`2409a78ac9ab93406bc5d9a812061af68e263f7ebeccadb95b1603b1ff128034`
CRC32	`DD05F027`
ssdeep	`12288:xmjRpnqeNQY5yaIMRMdARLIFGdpXEaToAJi2C+v4t8GcvhC4vMP7THlSZ:Ya2QY54eJIUdp55DvcCvg4vMjJS`
PDB Path	C:\winayelo\cefibuju\vosesolidiro\haxap-miyazes.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library IsPE32 - (no description)

build_2021-09-03_19-07.exe "C:\Users\test22\AppData\Local\Temp\build_2021-09-03_19-07.exe"
1092

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\winayelo\cefibuju\vosesolidiro\haxap-miyazes.pdb

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

RAXATOLENULOXEFINIVUVEPAVOVI

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 503808 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0233d000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 4, 2021, 1:54 p.m.	process_identifier: 1092 region_size: 864256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00084200', u'virtual_address': u'0x00001000', u'entropy': 7.9802838040443795, u'name': u'.text', u'virtual_size': u'0x00084020'}

entropy

7.98028380404

description

A section with a high entropy has been found

entropy

0.791167664671

description

Overall entropy of this PE file is high

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetect.malware1
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
FireEye	Generic.mg.34d8bda29d961c57
McAfee	Artemis!34D8BDA29D96
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
K7GW	Trojan ( 0056d16b1 )
K7AntiVirus	Trojan ( 0056d16b1 )
Cyren	W32/Kryptik.EWJ.gen!Eldorado
APEX	Malicious
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Fragtor.15279
MicroWorld-eScan	Gen:Variant.Fragtor.15279
Avast	FileRepMalware
Ad-Aware	Gen:Variant.Fragtor.15279
Sophos	Mal/Generic-S
McAfee-GW-Edition	BehavesLike.Win32.Emotet.jc
SentinelOne	Static AI - Malicious PE
Webroot	W32.Malware.Gen
Microsoft	Trojan:Win32/Azorult.RF!MTB
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Variant.Fragtor.15279
Acronis	suspicious
VBA32	BScope.Backdoor.Mokes
MAX	malware (ai score=82)
Malwarebytes	Trojan.MalPack
Rising	Trojan.Kryptik!1.D91D (CLASSIC)
Ikarus	Trojan.Win32.Azorult
eGambit	Unsafe.AI_Score_75%
Fortinet	W32/PossibleThreat
BitDefenderTheta	Gen:NN.ZexaF.34126.Pq0@aOIelmdG
AVG	FileRepMalware
MaxSecure	Trojan.Malware.300983.susgen

build_2021-09-03_19-07.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All